4

Some passwords like "123456" and "admin" are outrageously popular, and so are their leet transformations and concatenations of digits.

Users seem to pick up password suggestions or just copy the password patterns of others without giving it a thought. Passwords should remain secret, but the fact that the passwords of different users in many leaked databases are found to be the same or similar indicates that they do not remain secret. Is it just a coincidence that users are using the same password or the same rules to transform it?

Password trends seem to propagate from user to user, just as information propagates through the internet today. This trend also reaches the potential attacker, and as a result, in case the password database is leaked, the cracker succeeds. The passwords that are not cracked do not follow the popular trend and are thus spared by the cracker.

It is often argued that humans choose passwords that are easy to remember. But the fact that nearly 300,000 RockYou users used the password "123456" indicates that either most users simply imitate others in some way when creating their passwords, or the word generator in the human mind is biased. Learning by imitation is an evolutionary feature. But password creation needs uniqueness, not imitation.

So, is this a limitation of the human mind (either imitation or a biased word generator) when it comes to password creation?

To prevent the influence of password propagation, can we give unique suggestions to each user for password creation? Composition rules apply to every user of a website; can they be altered per user?

Vilican
Curious
  • possible duplicate of [Can the human brain generate cryptographically secure random numbers?](http://security.stackexchange.com/questions/66116/can-the-human-brain-generate-cryptographically-secure-random-numbers) – Xander Jan 16 '15 at 15:16
  • I for one would like to see a statistical comparison of cognitive password generation, and the mental process people use to generate passwords. – makerofthings7 Mar 17 '15 at 16:05
  • 1
    If you're asking whether the reasons why people pick specific passwords over others are purely psychological, cultural, or material, nobody will be able to tell you. It's most certainly a mixture (easier to type is preferred, memorable is preferred) but also depends on the input modality (e.g. mobile-based passwords tend to avoid symbols that require multiple mode changes) and cultural (e.g. USENIX 14 paper on Chinese passwords), plus attitudes to passwords depend on the services where they're used and the value/risk perceptions of people towards those specific services. – Steve Dodier-Lazaro Jun 16 '15 at 14:22
  • it seems that we can create model for password generation by weighing in different factors – Curious Jun 17 '15 at 06:36
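The question observes that the popular passwords come with their leet transformations and digit suffixes, and asks how a site could steer users away from them. As an added example (not code from the question or its answers), the check below normalizes a candidate password the way a cracker's rule set would, so that "P@ssw0rd1" is rejected along with "password"; the blocklist and the sample leak are constructed for illustration.

```python
# Added example: registration-time check for popular passwords and their
# trivial variants (leet substitutions, trailing digits/punctuation).
import re
from collections import Counter

# Common leet substitutions, undone during normalization.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed blocklist; a real deployment would load a large leaked-password
# list instead of these few base words.
POPULAR_BASES = {"password", "admin", "qwerty", "letmein", "iloveyou", "monkey"}
# All-digit passwords that are popular as-is (they normalize to "").
POPULAR_DIGITS = {"123456", "12345678", "111111", "123123"}


def normalize(password: str) -> str:
    """Reduce a password to the base word a mangling rule would start from."""
    pw = password.strip().lower()
    # Strip a trailing run of digits/punctuation ("password1", "admin2015!").
    pw = re.sub(r"[\d!@#$%^&*.]+$", "", pw)
    # Undo leet substitutions ("p4ssw0rd" -> "password").
    return pw.translate(LEET)


def is_popular_variant(password: str) -> bool:
    """True if the password is, or trivially derives from, a popular one."""
    pw = password.strip().lower()
    if pw in POPULAR_DIGITS or pw in POPULAR_BASES:
        return True
    return normalize(pw) in POPULAR_BASES


def variant_histogram(leaked):
    """Count how many leaked passwords collapse onto the same base word."""
    return Counter(normalize(p) for p in leaked)


if __name__ == "__main__":
    # Constructed sample "leak" showing the propagation the question describes.
    SAMPLE_LEAK = ["password", "P@ssw0rd", "password1", "Passw0rd!",
                   "admin", "4dm1n", "admin2015", "correcthorsebatterystaple"]
    for base, n in variant_histogram(SAMPLE_LEAK).most_common():
        print(f"{base or '<digits only>'}: {n}")
```
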

3 Answers

3

I think you're misunderstanding users. People can't be understood as code (i.e. a "biased word generator"). People have different motivations and understandings of the world than you do or I do.

Some really don't care if they get hacked. Some don't understand that automated attacks are relatively trivial. Some think, "why would anyone attack me?" They don't understand that automation doesn't care about them personally.

RockYou is a free "social media gaming website". Is that really a site whose security a lot of users care about? I wouldn't, and would likely use an easy-to-remember password that I don't care about. I also didn't care about my NY Times password back when they required registration. I believe it was "password" (Go ahead hax0rz, hack my NYT account!).

Steve Sether
2

I use insecure passwords for throwaway accounts that have zero value. Some sites generally have a low security standard, and using a password like 123456 gives hackers of those sites less information about your actual passwords.

The other problem is that sites have arbitrary constraints on passwords. If passwords had an unlimited maximum length, unique passwords would be much easier to generate. Many sites limit user password length to 4-5 (PIN-like logins with 3 tries), 8, 12 or 16.

That means passwords that are easy to remember need to be 1-3 words that fit into 12-16 characters. This limits the pool severely. The fact that every site has arbitrary constraints also means that once you have a good password that fits most schemes, you are more likely to reuse it, because remembering 17 different account names, with different passwords which all have different constraints, is nearly impossible.

If you want users to generate unique passwords, give them a minimum of 10 characters and unlimited/high maximum length.

This xkcd sums it up pretty heavily:

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

HopefullyHelpful
1

Most people don't have a sense of what an attacker can do to try to guess their passwords. Most common internet users think that something like "name.of.the.favorite.singer+date.of.birth.reversed" is somehow secure, because in their thoughts a human cannot guess something like their favourite singer's name + their date of birth REVERSED. Maybe they think they're secure until they find out the speed and simplicity of an online dictionary attack. But I have to say that the problem is not just a lack of internet culture. A lot of people who know tools like pwgen to generate passwords actually don't use them, because passwords that are not "human" are very difficult to remember without considerable effort. Really few people are willing to make that effort for something like a password. Comfort always wins when it comes to the human mind.

Azazel
  • If a service provider isn't sophisticated enough to stop online dictionary attacks, they don't deserve to be in business. The example you provided isn't really all that bad, and would be difficult to guess if you only allowed 5 tries before locking the account. Remember, most of us carry around little cards with us that have only 10,000 combinations that give access to our bank accounts! The security is provided by limiting the amount of attempts at the PIN code, and limiting withdrawal amounts. – Steve Sether Jun 15 '15 at 21:30
  • @SteveSether Yes, it's true when you say that an unsophisticated provider isn't worth a hack. The problem is that there's no one-shot way (or at least none that I know of) to stop a dictionary attack, especially if we're talking about something like account harvesting and not single-user cracking. OWASP has a page that explains the downside of account locking and how, for certain services that must guarantee 24/7 availability, it is not possible to implement it (not in a way strict enough to completely stop a dictionary attack). https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks#Locking_Accounts – Azazel Jun 16 '15 at 08:01
  • @azael Yes, there are tradeoffs. There's only so much you can protect against, and at some point the responsibility falls to the user. I still believe the password example you gave is NOT a bad password. For online attacks no attacker can generate millions of guesses a minute to crack that password. Also, attacker resources aren't infinite. Even if an attacker has an entire class A domain and millions of IPs, it wouldn't be difficult to detect masses of failed attempts coming from the domain, and ban the entire subnet. – Steve Sether Jun 16 '15 at 14:01
  • @SteveSether, You're only considering the strength of the password against an unknown attacker who has no knowledge of the intended victim. If the attacker knows the person, knows their date of birth and favourite singer (not terribly secret information), then this password is next to useless. – Chris Murray Jun 16 '15 at 15:39
  • @ChrisMurray Yup. People that know you will be able to attack you more easily. That's always the case. Security isn't perfect, and I think there's often a hidden underlying assumption that it can be, or that that's really what we're after. Security is ALWAYS about tradeoffs and mitigating risk. Risk is something we need to manage, but can't eliminate. – Steve Sether Jun 16 '15 at 15:58
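The comments above argue over two online-guessing defences: locking an account after a few failed tries, and detecting masses of failures from one source range. As an added example (not code from the thread or from OWASP), the script below runs both rules over constructed auth-log lines: the per-account rule catches a dictionary attack on one user, but not one guess spread across many accounts (the account harvesting mentioned above), which the per-subnet rule does catch. The log format, thresholds and addresses are assumptions.

```python
# Added example: per-account lockout versus per-source-subnet detection over
# constructed failed-login records.
from collections import defaultdict
import ipaddress
import re

# Assumed log format: "<timestamp> FAIL user=<name> src=<ip>".
LINE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source hammers "alice"; a /24 tries each account once.
SAMPLE_LOG = """\
2015-06-16T14:00:01 FAIL user=alice src=203.0.113.7
2015-06-16T14:00:02 FAIL user=alice src=203.0.113.7
2015-06-16T14:00:03 FAIL user=alice src=203.0.113.7
2015-06-16T14:00:04 FAIL user=alice src=203.0.113.7
2015-06-16T14:00:05 FAIL user=alice src=203.0.113.7
2015-06-16T14:00:06 FAIL user=alice src=203.0.113.7
2015-06-16T14:01:00 FAIL user=bob src=198.51.100.10
2015-06-16T14:01:01 FAIL user=carol src=198.51.100.11
2015-06-16T14:01:02 FAIL user=dave src=198.51.100.12
2015-06-16T14:01:03 FAIL user=erin src=198.51.100.13
2015-06-16T14:01:04 FAIL user=frank src=198.51.100.14
2015-06-16T14:01:05 FAIL user=grace src=198.51.100.15
"""


def parse(log):
    """Yield (user, ip) for each failed-login line; skip anything else."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("user"), ipaddress.ip_address(m.group("src"))


def per_account_lockouts(log, max_tries=5):
    """Accounts exceeding max_tries failures (the ATM-style rule)."""
    fails = defaultdict(int)
    for user, _ in parse(log):
        fails[user] += 1
    return {u for u, n in fails.items() if n > max_tries}


def per_subnet_alerts(log, prefix=24, max_fails=5, min_accounts=3):
    """Source subnets with many failures spread over many distinct accounts."""
    targeted = defaultdict(set)  # subnet -> accounts it failed against
    fails = defaultdict(int)     # subnet -> total failures
    for user, ip in parse(log):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        targeted[net].add(user)
        fails[net] += 1
    return {str(n) for n in fails
            if fails[n] > max_fails and len(targeted[n]) >= min_accounts}
```

Note that the single-source attack on "alice" does not trip the subnet rule (one account only), and the spread-out attack never trips the account rule, so the two checks cover each other's blind spot; the account rule alone also lets an attacker lock legitimate users out, which is the OWASP caveat cited above.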